Merge pull-request 23 (constant-time compare)

Author: warner

lib/srp.js

@@ -317,9 +317,16 @@ function getM2(params, A_buf, M_buf, K_buf) {
 }
 
 function equal(buf1, buf2) {
-  // TODO: constant-time comparison. A drop in the ocean compared to our
+  // constant-time comparison. A drop in the ocean compared to our
   // non-constant-time modexp operations, but still good practice.
-  return buf1.toString('hex') === buf2.toString('hex');
+  var mismatch = buf1.length - buf2.length;
+  if (mismatch) {
+    return false;
+  }
+  for (var i = 0; i < buf1.length; i++) {
+    mismatch |= buf1[i] ^ buf2[i];
+  }
+  return mismatch === 0;
 }
 
 function Client(params, salt_buf, identity_buf, password_buf, secret1_buf) {